This question already has an answer here:
- How do I deal with a compromised server? 6 answers
My website is wirten in Joomla. The provider turned it off saying it has been phished.
REQUIRES PHILIPPINES PROXY TO VIEW IP Address: 126.96.36.199 Phishing Content: hxxps://www .officinadelle11 .it /portal/onlinebanking/verify_success.php hxxps://www .officinadelle11 .it /portal/onlinebanking/sign-in/index.php Brand Phished: Bank of Philippine Islands (BPI Express Online) Legitimate Brand URL's: http://bpi.com.ph http://bpidirect.com http://bpiexpressonline.com http://expressnet.ph https://beta.bpiexpressonline.com http://bpiautoloans.com http://bpiautomadness.com http://bpihousingloans.com http://bpiloans.com http://bpipersonalloans.com http://kanegosyo.com.ph http://kanegosyo.com http://bpicard.ph http://bpithrills.ph http://bpitravel.ph http://bpiunlock.ph
I checked the FTP space and surprisingly there two files I never uploaded: one is called alex.php and another is a php class for unzip. The alex.php is really a submission form with translations in russian. I aske myself: how is possible to upload files to my FTP space? The credentials are very strong…